DefRec: Establishing Physical Function Virtualization to Disrupt Reconnaissance of Power Grids' Cyber-Physical Infrastructures
Hui Lin (1), Jianing Zhuang (1), Yih-Chun Hu (2), Huayu Zhou (1)
(1) University of Nevada, Reno
(2) University of Illinois, Urbana-Champaign
From Passive Detection to Preemptive Prevention
• Preemptive approaches that disrupt reconnaissance before an adversary starts to inflict physical damage are highly desirable
  – Preventing reconnaissance on a critical set of physical data can cover more attacks, including unknown ones
• Research gap: designing practical and efficient anti-reconnaissance approaches
  – Mimicking system behaviors can be easily detected
  – Simulations (used in honeypots) are based on a static specification
    • E.g., inconsistent with proprietary implementations
  – Do not model physical processes
Threat Model
• We assume that adversaries can compromise any computing device connected to the control network
  – Passive attacks monitor network traffic to obtain knowledge of power grids' cyber-physical infrastructures
  – Proactive attacks achieve the same goal by using probing messages
  – Active attacks manipulate network traffic, including dropping, delaying, or compromising existing network packets, or injecting new packets
• Passive and proactive attacks are common techniques used in reconnaissance, while active attacks are used to issue attack-concept operations and cause physical damage
Design Objective
• Disrupt and mislead attackers' reconnaissance based on passive and proactive attacks, such that their active attacks become ineffective
  – RO1 & RO2: significantly delay passive and proactive attacks from obtaining knowledge of the control network
  – RO3: leverage intelligently crafted decoy data to mislead adversaries into designing ineffective attacks
Design Overview of DefRec based on PFV
(Figure: design overview on an example power grid; only the labels "Bus 6" and "Bus 7" survive from the diagram.)
• DefRec: specify security policies to disrupt reconnaissance
• PFV (physical function virtualization): construct virtual nodes that follow the actual implementation of real devices
• Complementary to existing security approaches
• Trusted computing base (TCB):
  – Network controller application
  – Edge switches
  – A few end devices (used as seed devices)
  – Communication channels connecting them
Implementation
• Communication networks
• Implementation of PFV & DefRec
• Physical device
• Power grid simulation
Implementation – Communication Network
• Follows the implementation presented in an NSDI paper [1]
  – Obtained the logical topology of six different communication networks from the TopologyZoo dataset
  – Implemented each network in five HP SDN-compatible switches
  – In each switch, we grouped physical ports into VLANs (virtual local area networks), each of which represents a logical switch; VLANs are connected by Ethernet cables
  – Built Docker instances in seven HP servers as end hosts
    • Each server needs to be enhanced with additional Ethernet ports
  – Implemented DNP3 master and slaves based on the opendnp3 library
• Alternative approach: use cloud infrastructure, e.g., the NSF GENI testbed
  – Virtual switches need to be configured manually
  – The number of hardware switches is very limited
[1] W. Zhou et al., "Enforcing customizable consistency properties in software-defined networks," in 12th USENIX NSDI, 2015.
Implementation – PFV
• PFV: use interactions of real devices to build virtual nodes
  – Virtual node template
  – Profile of seed devices
  – Packet hooking component
• Virtual node template
  – Static configuration of the target network
• Profile of physical devices
  – Dynamic behavior at the network layer
• Packet hooking component
  – Construct the outbound packets of virtual nodes
  – Follow the probabilistic behavior of real devices
• Implemented based on SDN (software-defined networking)
  – Follows implementations found in both the security and networking communities
  – ONOS, an open-source network operating system used in commercial networks
  – Implemented a DNP3 encoder/decoder in ONOS core services
  – Implemented software modules loaded by ONOS core services
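The three PFV components above (template, seed-device profile, packet hook) can be illustrated with a small model of how a virtual node's outbound responses are derived from a seed device's observed behavior. This is an added example, not DefRec's code: the observation records, the profile fields (response delay, IP TTL, TCP window), the template fields and the DNP3 addresses are all constructed here, and the profile is an empirical bootstrap rather than whatever fitting the authors use.

```python
"""Profiling a seed device and building a virtual node that follows its
network-layer behaviour (added example; not the DefRec implementation)."""
import random
from collections import Counter
from dataclasses import dataclass

# Constructed observations of one seed device (a hypothetical DNP3 outstation):
# (response delay in ms, IP TTL of the response, TCP window size).
SEED_OBSERVATIONS = [
    (12, 64, 5840), (15, 64, 5840), (11, 64, 5840), (40, 64, 5840),
    (13, 64, 5840), (14, 64, 5840), (12, 64, 5840), (37, 64, 5840),
    (16, 64, 5840), (12, 64, 5840),
]


@dataclass(frozen=True)
class DeviceProfile:
    """Empirical network-layer behaviour of a seed device."""
    delays_ms: tuple
    ttl_counts: Counter
    window_counts: Counter

    @classmethod
    def from_observations(cls, observations):
        delays = tuple(sorted(d for d, _, _ in observations))
        return cls(delays,
                   Counter(t for _, t, _ in observations),
                   Counter(w for _, _, w in observations))

    def sample_delay(self, rng):
        # Empirical bootstrap: resampling the observed delays keeps the seed
        # device's timing distribution, including its occasional slow replies.
        return rng.choice(self.delays_ms)

    def sample_ttl(self, rng):
        values, weights = zip(*self.ttl_counts.items())
        return rng.choices(values, weights=weights, k=1)[0]

    def sample_window(self, rng):
        values, weights = zip(*self.window_counts.items())
        return rng.choices(values, weights=weights, k=1)[0]


@dataclass(frozen=True)
class VirtualNodeTemplate:
    """Static configuration of a virtual node in the target network (constructed)."""
    ip: str
    mac: str
    dnp3_address: int


class VirtualNode:
    def __init__(self, template, profile):
        self.template = template
        self.profile = profile

    def build_response(self, request, rng):
        """Outbound response for a request addressed to this virtual node."""
        if request["dst_dnp3"] != self.template.dnp3_address:
            return None  # not ours: the packet hook leaves the packet alone
        return {
            "src_ip": self.template.ip,
            "src_mac": self.template.mac,
            "dnp3_seq": request["seq"],            # application-layer sequence echoed
            "delay_ms": self.profile.sample_delay(rng),
            "ttl": self.profile.sample_ttl(rng),
            "window": self.profile.sample_window(rng),
        }


def fingerprint_mismatches(responses, profile):
    """Responses whose network-layer attributes never occurred on the seed device.
    A non-empty result means the virtual node would stand out from real devices."""
    lo, hi = profile.delays_ms[0], profile.delays_ms[-1]
    return [r for r in responses
            if r["ttl"] not in profile.ttl_counts
            or r["window"] not in profile.window_counts
            or not lo <= r["delay_ms"] <= hi]


def simulate(n_requests, seed=7):
    """Build one virtual node from the seed profile and answer n polls."""
    profile = DeviceProfile.from_observations(SEED_OBSERVATIONS)
    template = VirtualNodeTemplate("10.0.0.23", "02:00:00:00:00:17", 23)  # constructed
    node = VirtualNode(template, profile)
    rng = random.Random(seed)
    requests = [{"dst_dnp3": 23, "seq": i % 16} for i in range(n_requests)]
    responses = [node.build_response(q, rng) for q in requests]
    return profile, responses


if __name__ == "__main__":
    profile, responses = simulate(5)
    for r in responses:
        print(r)
    print("mismatches:", fingerprint_mismatches(responses, profile))
```

The `fingerprint_mismatches` check is the part a defender deploying decoys cares about: every attribute a virtual node emits should be one the seed device has actually produced, otherwise the decoy is separable from real devices by a passive observer.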
Attack Misleading Policy for Physical Infrastructure
• RO3: craft decoy data as the application-layer payload of network packets from virtual nodes
  – Mislead adversaries into designing ineffective attacks
  – Satisfy the physical model of power grids
• We use the theoretical model of false data injection attacks (FDIAs) as a case study
  (Figure: an example power grid, and the same grid with decoy data as observed by adversaries.)
  – With accurate knowledge of the power grid's topology, active attacks can compromise measurements without raising alerts in state estimation
    • Measurement errors are less than the detection threshold
  – With misleading knowledge of the power grid's topology, active attacks raise alerts in state estimation
    • Measurement errors are 5,000 times the detection threshold
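The residual test behind this case study, as an added example that is not the authors' code: a DC state estimator with the usual bad-data detector (alarm when the norm of the measurement residual exceeds a threshold). The 3-bus system, its susceptances, the true angles, the decoy topology and the threshold are all constructed here, and the numbers it produces are for this toy grid only, not the 5,000x figure reported above. It shows the mechanism the slide relies on: a measurement offset consistent with the true measurement matrix H lies in the column space of H and leaves the residual unchanged, while the same offset built from a decoy H does not and is flagged.

```python
"""DC state estimation with a residual-based bad-data detector
(added example; constructed 3-bus model, not the authors' grid)."""
import math

# Constructed 3-bus DC model. Bus 1 is the slack bus (angle 0); the state is
# x = [theta_2, theta_3]. Every line has susceptance 10 p.u. Rows of H map the
# state to the measurements [P12, P13, P23, P2, P3] (line flows, then bus
# injections at buses 2 and 3).
H_TRUE = [
    [-10.0, 0.0],    # P12 = b12 * (theta_1 - theta_2)
    [0.0, -10.0],    # P13 = b13 * (theta_1 - theta_3)
    [10.0, -10.0],   # P23 = b23 * (theta_2 - theta_3)
    [20.0, -10.0],   # P2  = P21 + P23
    [-10.0, 20.0],   # P3  = P31 + P32
]

# Decoy topology published through the virtual nodes (constructed): line 2-3
# appears with susceptance 5 instead of 10, so the injection rows change too.
H_DECOY = [
    [-10.0, 0.0],
    [0.0, -10.0],
    [5.0, -5.0],
    [15.0, -5.0],
    [-5.0, 15.0],
]

X_TRUE = [-0.05, -0.10]   # true bus angles in rad (constructed)
TAU = 0.1                 # detection threshold on the residual norm (constructed)


def matvec(A, v):
    return [sum(a * b for a, b in zip(row, v)) for row in A]


def transpose(A):
    return [list(col) for col in zip(*A)]


def matmul(A, B):
    Bt = transpose(B)
    return [[sum(a * b for a, b in zip(row, col)) for col in Bt] for row in A]


def solve(A, b):
    """Solve A x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[pivot] = M[pivot], M[col]
        p = M[col][col]
        M[col] = [v / p for v in M[col]]
        for r in range(n):
            if r != col:
                f = M[r][col]
                M[r] = [rv - f * cv for rv, cv in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]


def estimate_state(H, z):
    """Least-squares state estimate x_hat = (H^T H)^-1 H^T z."""
    Ht = transpose(H)
    return solve(matmul(Ht, H), matvec(Ht, z))


def residual_norm(H, z):
    """Norm of the measurement residual r = z - H x_hat."""
    x_hat = estimate_state(H, z)
    r = [zi - hi for zi, hi in zip(z, matvec(H, x_hat))]
    return math.sqrt(sum(v * v for v in r))


def bad_data_alarm(H, z, tau=TAU):
    """The operator's detector: raise an alert when the residual exceeds tau."""
    return residual_norm(H, z) > tau


def offset_from_topology(H_assumed, c):
    """Measurement offset a = H_assumed * c that shifts the estimate by c if
    H_assumed matches the operator's H."""
    return matvec(H_assumed, c)


def observed(z, a):
    return [zi + ai for zi, ai in zip(z, a)]


Z = matvec(H_TRUE, X_TRUE)     # noise-free measurements the operator receives
C = [0.1, 0.0]                 # intended shift of theta_2 (constructed)
Z_CONSISTENT = observed(Z, offset_from_topology(H_TRUE, C))
Z_DECOY_BASED = observed(Z, offset_from_topology(H_DECOY, C))

if __name__ == "__main__":
    print("residual, honest data:        ", residual_norm(H_TRUE, Z))
    print("residual, offset from true H: ", residual_norm(H_TRUE, Z_CONSISTENT))
    print("residual, offset from decoy H:", residual_norm(H_TRUE, Z_DECOY_BASED))
    print("alarm on decoy-based offset:  ", bad_data_alarm(H_TRUE, Z_DECOY_BASED))
```

The residual for the decoy-based offset is the norm of the component of (H_DECOY - H_TRUE)c that lies outside the column space of H_TRUE; for these constructed values it is sqrt(1/12), about 0.289, against a threshold of 0.1, whereas the offset built from the true H leaves the residual at zero.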